A walkthrough to deobfuscating a ConfuserEx v1.0.0-4 g3fd0d55 protected .NET application

In this blog post, I will show you how to deobfuscated a ConfuserEx protected .NET application.

Unfortunately, there is a lot of videos on YouTube about how to deobfuscate such programs but these videos are so complicated and the instructions are either convoluted or do not yield a good result.

Let’s get started.

Step 1 – Inspecting the binary

You will need to get the dnSpy tool from here: https://github.com/0xd4d/dnSpy/releases

Open the program with dnSpy (or drag and drop it):

At first inspection, we can tell there’s obfuscation due to the name of the entrypoint at line 4 (being so cryptic). Additionally, if you click on the “ConfusedTest.exe” node, you will see more attributes and the obfuscator name (ConfuserEx v1.0.0-4-g3fd0d55):

Continue reading “A walkthrough to deobfuscating a ConfuserEx v1.0.0-4 g3fd0d55 protected .NET application”

Introducing Ganxo v0.1 – An open source API hooking framework

Hello,

Today I release the first Alpha version of Ganxo (pronounced as “Gun Show” or “Gan Chou”), an open source API hooking framework. In Catalan, Ganxo means “hook”, thus the framework’s name.

Writing an API hooking framework was always on my to do list. I started developing Ganxo back in April 2016 and after two weeks of development during my free time, I got busy with other things and abandoned my efforts.

My initial goals were to accomplish the following before going public with it:

  • Support x86 and x64 hooking
  • Write a more extensive test suite
  • Fully document it

This past weekend, I decided to release Ganxo even though I have not met all my goals. As of today, Ganxo works on MS Windows and supports x86 API hooking. The groundwork is laid down and it should be easy to add x64 bits hooking support on Windows or even just port it to other operating systems.

Feel free to clone the code from here and start using it today.

Stay tuned, I plan more features in the coming future!

flower separator
batchography-good-resDo you want to master Batch Files programming? Look no further, the Batchography is the right book for you.

Available in print or e-book editions from Amazon.
flower separator

You might also like:

7 DLL injection techniques in Microsoft Windows

In this article, I am going to list half a dozen DLL injection techniques that can be used by a user mode process running on MS Windows. There could be more techniques but I am sharing with you the techniques that I had first hand experience with.

1. AppInit_DLLs

People used to rely on the AppInit_DLLs registry key. The OS loader queries this value and loads the DLLs specified there when a process is created. I have not used this technique in a long while (last time I used it was on Windows XP) and I heard it is now restricted or discontinued because it was widely used by malware.

2. SetWindowsHookEx API

The SetWindowsHookEx API installs an application-defined hook procedure into a given hook chain. There are various supported hook chains (CBT, Journal, Window messages, keyboard, mouse, etc).

When using the SetWindowsHookEx API, you are instructing the operating system to inject your custom hook DLL into other process where it is relevant. The Windows hooks work when the other processes import / use functionality from USER32.dll.

Continue reading “7 DLL injection techniques in Microsoft Windows”

Hiew+ – Editing process memory with Hiew hex editor

What’s is Hiew+

Hiew+ is based on the FsPlus project. FsPlus is an implementation of an idea that allows you to access non disk files as if they were disk files. Hiew+ is a real life example of FsPlus where we take Hiew (an excellent hex editor) and turn it into an excellent process editor. Each process will be viewed as a file with a size as much as SYSTEM_INFO.lpMaximumApplicationAddress returns. In theory FsPlus should work with any hex editor to provide process memory editing, but this release is just Hiew ready.

Hiew+ editing the process memory of a process being debugged by IDA Pro

Usage

To use FsPlus, you need to inject FsPlus.dll into Hiew’s process memory so that the APIs are hooked. After APIs are hooked, FsPlus will recognize and treat in a different manner any file name that has the following form: “pid|1234” where 1234 is a given PID. To make the usage even simpler, I provid a small GUI (FsPlusGui) to allow you launch Hiew conveniently.

In fact, Hiew+ can be considered as a nice addition to your reverse engineering tools arsenal (IDA Pro‘s debugger or any other debugger, etc.).

Here’s a screenshot of the FsPlusGui:

You will need to double click on a process to have Hiew or the desired process launched with FsPlus support.
Make sure you specify the settings correctly in FsPlus.ini:

[settings]
title=Hiew+ (c) lallous <lallousz-x86@yahoo.com>
hookdll=.\fsPlus.dll
launch=c:\hiew\hiew32.exe

Features

After you run it successfully, you will be able to start editing processes as if you were editing files. The catch is every process virtual address is now a physical offset in Hiew.

Modules as IMAGE_SECTION_HEADERs

For your convenience we have created additional IMAGE_SECTION_HEADER structures in the PE header of the main process, so that each loaded module is view as a PE section:

Textual information about process’ modules

In addition to viewing modules as PE sections, you will have an actual representation of all loaded modules just after the end of the PE header:

flower separator
batchography-good-resDo you want to master Batch Files programming? Look no further, the Batchography is the right book for you.

Available in print or e-book editions from Amazon.
flower separator

No Read Errors

To avoid reading errors and such, any unreadable memory page is filled with “BAD!” pattern.

Physical and Logical disk editing

This is not something added by FsPlus, rather it is a undocumented feature of Hiew32 where you can use Hiew to edit/view logical and physical disk sectors:

Conclusion

Download – Release date: late 2008

This tool has been tested with Windows Vista (32) and Windows XP SP2 and with Hiew 7.29.
Hope you find this tool useful as Hiew itself.
Note: Please don’t contact me if you run into trouble. This tool is no longer supported.

You might also like:

Batchography: Embedding an executable file in a Batch script

batchography-good-resIn this blog post, I am going to share with you a recipe from the Batchography book that illustrates and explains in details how to embed executable files in the Batch file script and execute them after they are dropped.

This technique does not rely on using a polyglot Batch file where its first part is actually a Batch script and the other part is a VBS or JScript script. If you want to learn more about how to write polyglot Batch scripts, please refer to Chapter 4 in the Batchography book.

flower separator

Get the book from Amazon: the print editionbtn-buy-on-amazonor the e-book editionbtn-buy-on-amazon

flower separator

Continue reading “Batchography: Embedding an executable file in a Batch script”

How to check who logged in and when via Windows Remote Desktop

Hello,

Remote Deskop is a nice facility built-in Microsoft Windows from XP and up.

You can use it to remotely administer your computer or simply do programming work.

Many times you may want to keep track and see who is logging into your PC for security reasons. This article will show you how. Let’s proceed!

rdp-cover Continue reading “How to check who logged in and when via Windows Remote Desktop”

How to capture and analyze HTTP/HTTPS from your smartphone or tablet using Fiddler

Hello,

In the previous article, I showed you how to capture traffic from WiFi devices. In this article, I will illustrate how to capture HTTP/HTTPS traffic using Fiddler.

This skill is very useful for web programmers or security engineers who want to debug their application or audit third party applications that use web services over an encrypted channel. Let’s get started! Continue reading “How to capture and analyze HTTP/HTTPS from your smartphone or tablet using Fiddler”

How to capture all network traffic going through your smartphone/tablet/laptop or other wireless devices

Hello,

In this blog post, I am going to show you how to record all inbound and outbound network traffic from a wireless device (smartphone, tablet, laptop, etc…).

People desire to capture traffic for many reasons, namely for/by:

  • Security Auditing and penetration testing
  • Programmers and testers
  • Application protocol analysis and recovery
  • etc…

Let’s get started! Continue reading “How to capture all network traffic going through your smartphone/tablet/laptop or other wireless devices”